Developing and implementing a continuous monitoring (CM) plan is a crucial part of your cyber security program. A CM plan should help you determine whether your organization’s security controls continue to be effective over time, as the environment changes and evolves.
What Should Be Included in a Plan
Your CM plan should include the capability to dynamically provide near real-time security status-related information to key members of an organization. This could include software vulnerabilities, network and system-level configuration changes, policy changes, and any control-based inconsistencies.
As great as the concept is, a well-defined CM plan can be very hard to implement. There simply isn’t a standard template that every organization can use. Without appropriate planning for security controls, preferably early in the system development life cycle, and correct implementation of those controls, an under-developed plan can leave you with a false sense of security and awareness.
Identifying Critical Assets
There are many challenges associated with the roll-out of a CM plan. A strategy should be developed that provides visibility into assets and awareness of vulnerabilities for all departments within the organization.
Identifying and organizing your critical assets is essential to the CM process. This may include interviewing leaders within the business organization to gain an understanding and awareness of the business goals and objectives, identifying areas where problems exist, and understanding results from any prior security assessments.
For example, it should be clear across all the departments what assets are categorized as high, medium, and low, from a criticality aspect. Along with identifying critical and key assets, there should be a policy associated with how often these assets should be scanned, how long data should be retained, and how often data should be analyzed.
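The passage above asks for a criticality tier per asset and, attached to each tier, a scan frequency, a retention period and an analysis cadence. The following is an added illustration of how that policy can be made explicit and checked, not code from the original article: the tier intervals, asset names, departments and timestamps are constructed sample values, and a real inventory would be fed from the asset database rather than a hard-coded list.

```python
"""Criticality tiers with scan, analysis and retention cadence.

Added illustration, not code from the original article. The tier intervals,
asset names and timestamps below are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TierPolicy:
    """Monitoring cadence attached to one criticality tier (constructed values)."""
    scan_every: timedelta        # how often the asset must be scanned
    analyze_every: timedelta     # how often scan results must be reviewed
    retain_for: timedelta        # how long raw scan data is kept


# Policy per tier. The intervals are illustrative assumptions, not a standard.
POLICY = {
    "high":   TierPolicy(timedelta(days=1),  timedelta(days=1),  timedelta(days=365)),
    "medium": TierPolicy(timedelta(days=7),  timedelta(days=7),  timedelta(days=180)),
    "low":    TierPolicy(timedelta(days=30), timedelta(days=30), timedelta(days=90)),
}


@dataclass
class Asset:
    name: str
    owner: str                 # department that owns the asset
    criticality: str           # "high" | "medium" | "low"
    last_scanned: datetime
    last_analyzed: datetime


def overdue_assets(assets, now):
    """Return (asset_name, what_is_overdue, days_overdue) for every missed cadence."""
    findings = []
    for a in assets:
        if a.criticality not in POLICY:
            # An asset outside the agreed tiers is a classification gap, not a scan gap.
            raise ValueError(f"{a.name}: unknown criticality {a.criticality!r}")
        pol = POLICY[a.criticality]
        scan_due = a.last_scanned + pol.scan_every
        if now > scan_due:
            findings.append((a.name, "scan", (now - scan_due).days))
        analysis_due = a.last_analyzed + pol.analyze_every
        if now > analysis_due:
            findings.append((a.name, "analysis", (now - analysis_due).days))
    return findings


def retention_cutoff(criticality, now):
    """Oldest scan-data timestamp that must still be kept for this tier."""
    return now - POLICY[criticality].retain_for


def coverage_by_department(assets):
    """Asset count per (department, tier), so classification gaps are visible across the organization."""
    counts = {}
    for a in assets:
        key = (a.owner, a.criticality)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed inventory for demonstration.
NOW = datetime(2024, 3, 15, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("erp-db-01", "finance", "high", NOW - timedelta(days=3), NOW - timedelta(hours=12)),
    Asset("hr-portal", "hr", "medium", NOW - timedelta(days=2), NOW - timedelta(days=9)),
    Asset("kiosk-lobby", "facilities", "low", NOW - timedelta(days=10), NOW - timedelta(days=10)),
]

if __name__ == "__main__":
    for name, what, days in overdue_assets(SAMPLE_ASSETS, NOW):
        print(f"{name}: {what} overdue by {days} day(s)")
    print("coverage:", coverage_by_department(SAMPLE_ASSETS))
```

The point of keeping the cadence on the tier rather than on each asset is that a reclassification (an asset moving from medium to high) automatically tightens its scan and analysis schedule, and a department with no high-tier assets in `coverage_by_department` stands out as something to question during the interviews the article describes.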
Performing Risk Analysis
Another major challenge when implementing a continuous monitoring plan is performing risk analysis and reporting. Risk management is different and unique for each organization; however, metrics and values need to be identified based on your business requirements. Based on the organization’s risk tolerance levels, security teams should be able to easily identify, analyze, and report these metrics to business leaders so that they are aware and can make well-informed, risk-based decisions.
Some examples of metrics may include:
- Risk scoring values
- Compliance and governance
- Risk tolerance level
- Consequences (due to a compromise)
Without these types of metrics, it can be difficult to perform a clear and concise analysis for decision-makers.
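As an added illustration of the metrics listed above (not code from the original article), the block below scores findings from likelihood, impact (the consequence of a compromise) and the affected asset's criticality, compares each score with a risk tolerance band, and rolls the results up into the few numbers a decision-maker needs, including how many relevant controls have actually been verified. The formula, the weights, the tolerance thresholds and the sample findings are all constructed assumptions; the article's point is that these values must come from your own business requirements.

```python
"""Risk metrics rolled up for decision-makers.

Added illustration, not code from the original article. The scoring formula,
criticality weights, tolerance thresholds and sample findings are constructed
assumptions; replace them with the values your organization agrees on.
"""
from dataclasses import dataclass

# Weight applied for the criticality tier of the affected asset (assumption).
CRITICALITY_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}

# Risk tolerance bands (assumption): below "review" is accepted, at or above
# "escalate" goes to leadership, anything in between is reviewed by the security team.
TOLERANCE = {"review": 10.0, "escalate": 30.0}


@dataclass(frozen=True)
class Finding:
    asset: str
    criticality: str     # "high" | "medium" | "low"
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe): the consequence of a compromise
    control_ok: bool     # whether the relevant control was verified effective


def risk_score(f):
    """likelihood x impact, weighted by asset criticality; an unverified control adds 25%."""
    if not (1 <= f.likelihood <= 5 and 1 <= f.impact <= 5):
        raise ValueError(f"{f.asset}: likelihood and impact must be in 1..5")
    base = f.likelihood * f.impact * CRITICALITY_WEIGHT[f.criticality]
    return base if f.control_ok else base * 1.25


def decision(score):
    """Map a score onto the tolerance bands."""
    if score >= TOLERANCE["escalate"]:
        return "escalate"
    if score >= TOLERANCE["review"]:
        return "review"
    return "accept"


def report(findings):
    """Roll findings up into the handful of numbers a business leader needs."""
    scored = [(f, risk_score(f)) for f in findings]
    counts = {"accept": 0, "review": 0, "escalate": 0}
    for _, s in scored:
        counts[decision(s)] += 1
    verified = sum(1 for f in findings if f.control_ok)
    # Everything outside the accepted band, worst first, so the list reads top-down.
    above = sorted(
        ((f.asset, s) for f, s in scored if decision(s) != "accept"),
        key=lambda item: item[1],
        reverse=True,
    )
    return {
        "decisions": counts,
        "control_coverage": round(verified / len(findings), 2) if findings else 1.0,
        "above_tolerance": above,
    }


# Constructed findings for demonstration.
SAMPLE_FINDINGS = [
    Finding("erp-db-01", "high", 4, 5, False),
    Finding("hr-portal", "medium", 2, 3, True),
    Finding("kiosk-lobby", "low", 3, 2, True),
    Finding("file-share", "medium", 3, 4, False),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE_FINDINGS).items():
        print(f"{key}: {value}")
```

Note how a medium-criticality finding with an unverified control (`file-share`) lands exactly on the escalation threshold: the 25% penalty for an unverified control is what turns a "review" item into one leadership hears about, which is the kind of governance signal the metrics list is meant to surface.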
Lastly, selecting the right tools can often be difficult. The importance and effectiveness of each tool will differ for each organization. Security teams need to know what to monitor, how to monitor it, and where on the network to monitor activity.
Initially, it was tough to find tools that supported CM initiatives; however, over the past few years, vendors have developed tools that are in line with CM policies and strategies. One example is Security Content Automation Protocol (SCAP) reporting. This includes the ability to deploy agent-based or agentless tools to support system configuration management, the capability to perform authenticated and unauthenticated vulnerability scans, and the ability to scan for code or back-end issues in near real time.
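To make the configuration-management side of this concrete, here is an added illustration (not code from the original article and not an SCAP or XCCDF implementation) of what a checklist-based assessment reports on: a rule set is evaluated against a host's configuration snapshot to give pass/fail per control and a weighted compliance score, and two snapshots are compared to surface configuration changes and the controls they affect, which is the "control-based inconsistencies" signal the plan is meant to provide. The rules, setting names and host snapshots are constructed for the example.

```python
"""Checklist-style configuration assessment and drift detection.

Added illustration, not code from the original article and not an SCAP
implementation. The rules, setting names and host snapshots are constructed
to mirror the kind of checks an SCAP-aware scanner reports on.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str
    setting: str                      # key in the host's configuration snapshot
    check: Callable[[Any], bool]      # returns True when the setting is compliant
    severity: str                     # "high" | "medium" | "low"
    title: str


# Constructed rule set (assumption; not a published benchmark).
RULES = [
    Rule("R-001", "ssh.PermitRootLogin", lambda v: v == "no", "high", "SSH root login disabled"),
    Rule("R-002", "ssh.PasswordAuthentication", lambda v: v == "no", "medium", "SSH password auth disabled"),
    Rule("R-003", "auditd.enabled", lambda v: v is True, "high", "Audit daemon enabled"),
    Rule("R-004", "password.min_length", lambda v: isinstance(v, int) and v >= 14, "medium", "Password minimum length"),
]

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def assess(snapshot, rules=RULES):
    """Return (failed rule ids, weighted compliance score 0..100) for one snapshot."""
    total = sum(SEVERITY_WEIGHT[r.severity] for r in rules)
    earned = 0
    failed = []
    for r in rules:
        value = snapshot.get(r.setting)      # a missing setting counts as a failure
        if value is not None and r.check(value):
            earned += SEVERITY_WEIGHT[r.severity]
        else:
            failed.append(r.rule_id)
    return failed, round(100 * earned / total, 1)


def drift(previous, current):
    """Settings that changed between two snapshots: {setting: (old, new)}."""
    keys = set(previous) | set(current)
    return {
        k: (previous.get(k), current.get(k))
        for k in sorted(keys)
        if previous.get(k) != current.get(k)
    }


def affected_rules(changes, rules=RULES):
    """Rule ids whose monitored setting appears in a drift result."""
    return [r.rule_id for r in rules if r.setting in changes]


# Constructed snapshots: an approved baseline and a later collection from the same host.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "auditd.enabled": True,
    "password.min_length": 14,
}
LATEST = {
    "ssh.PermitRootLogin": "yes",
    "ssh.PasswordAuthentication": "no",
    "auditd.enabled": True,
    "password.min_length": 12,
}

if __name__ == "__main__":
    print("baseline:", assess(BASELINE))
    print("latest:  ", assess(LATEST))
    changes = drift(BASELINE, LATEST)
    print("changed: ", changes)
    print("controls affected:", affected_rules(changes))
```

Running the assessment on every collection and diffing against the last approved snapshot is what turns a point-in-time scan into continuous monitoring: the drift result tells you which change happened, and `affected_rules` tells you which control it broke, so the finding can be routed to the asset owner with its severity already attached.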
Nowadays, it’s more of a matter of how much of your budget is set aside for CM. It can also depend on the skill level of your security staff. In many cases, certain functionalities can be developed “in-house” as add-on capabilities to the current IT applications and software.
Implementing a continuous monitoring plan can be a daunting task, and although no system is 100% safe from potential security threats, it’s key to take the necessary steps to stay aware of the ever-changing threat landscape. These steps start with understanding the business goals and objectives. Once these goals and objectives have been identified, more effort can be put into determining the right CM solutions to meet your business needs.